fix: Always apply containerd patches

This commit ensures that applying containerd patches always happens. Previously,
this only happened if mirror configuration was provided, which meant that patches
such as enabling containerd metrics were never applied to containerd config.

By bundling the apply patches and restart containerd script in the same handler,
we ensure they both always get run.

Author: jimmidyson

pkg/handlers/generic/mutation/containerdrestart/restart.go renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/apply_patches.go

@@ -1,6 +1,6 @@
 // Copyright 2023 Nutanix. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-package containerdrestart
+package containerdapplypatchesandrestart
 
 import (
 	_ "embed"

pkg/handlers/generic/mutation/containerdrestart/inject.go renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/inject.go

@@ -1,9 +1,10 @@
 // Copyright 2023 Nutanix. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
-package containerdrestart
+package containerdapplypatchesandrestart
 
 import (
 	"context"
+	_ "embed"
 
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -18,13 +19,13 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/patches/selectors"
 )
 
-type containerdRestartPatchHandler struct{}
+type containerdApplyPatchesAndRestartPatchHandler struct{}
 
-func NewPatch() *containerdRestartPatchHandler {
-	return &containerdRestartPatchHandler{}
+func NewPatch() *containerdApplyPatchesAndRestartPatchHandler {
+	return &containerdApplyPatchesAndRestartPatchHandler{}
 }
 
-func (h *containerdRestartPatchHandler) Mutate(
+func (h *containerdApplyPatchesAndRestartPatchHandler) Mutate(
 	ctx context.Context,
 	obj *unstructured.Unstructured,
 	vars map[string]apiextensionsv1.JSON,
@@ -36,27 +37,34 @@ func (h *containerdRestartPatchHandler) Mutate(
 		"holderRef", holderRef,
 	)
 
-	file, command := generateContainerdRestartScript()
+	restartFile, restartCommand := generateContainerdRestartScript()
+
+	applyPatchesFile, applyPatchesCommand, err := generateContainerdApplyPatchesScript()
+	if err != nil {
+		return err
+	}
 
 	if err := patches.MutateIfApplicable(
 		obj, vars, &holderRef, selectors.ControlPlane(), log,
 		func(obj *controlplanev1.KubeadmControlPlaneTemplate) error {
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart script to control plane kubeadm config spec")
+			).Info("adding containerd apply patches and restart scripts to control plane kubeadm config spec")
 			obj.Spec.Template.Spec.KubeadmConfigSpec.Files = append(
 				obj.Spec.Template.Spec.KubeadmConfigSpec.Files,
-				file,
+				applyPatchesFile,
+				restartFile,
 			)
 
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart command to control plane kubeadm config spec")
+			).Info("adding containerd apply patches and restart commands to control plane kubeadm config spec")
 			obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands = append(
 				obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands,
-				command,
+				applyPatchesCommand,
+				restartCommand,
 			)
 
 			return nil
@@ -70,14 +78,22 @@ func (h *containerdRestartPatchHandler) Mutate(
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart script to worker node kubeadm config template")
-			obj.Spec.Template.Spec.Files = append(obj.Spec.Template.Spec.Files, file)
+			).Info("adding containerd apply patches and restart scripts to worker node kubeadm config template")
+			obj.Spec.Template.Spec.Files = append(
+				obj.Spec.Template.Spec.Files,
+				applyPatchesFile,
+				restartFile,
+			)
 
 			log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding containerd restart command to worker node kubeadm config template")
-			obj.Spec.Template.Spec.PreKubeadmCommands = append(obj.Spec.Template.Spec.PreKubeadmCommands, command)
+			).Info("adding containerd apply patches and restart commands to worker node kubeadm config template")
+			obj.Spec.Template.Spec.PreKubeadmCommands = append(
+				obj.Spec.Template.Spec.PreKubeadmCommands,
+				applyPatchesCommand,
+				restartCommand,
+			)
 
 			return nil
 		}); err != nil {

pkg/handlers/generic/mutation/containerdrestart/inject_test.go renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/inject_test.go

@@ -1,13 +1,15 @@
 // Copyright 2023 Nutanix. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0
 
-package containerdrestart
+package containerdapplypatchesandrestart
 
 import (
 	"testing"
 
 	. "github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
+	"github.com/stretchr/testify/assert"
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
 	runtimehooksv1 "sigs.k8s.io/cluster-api/exp/runtime/hooks/api/v1alpha1"
 
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/handlers/mutation"
@@ -16,12 +18,12 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/test/helpers"
 )
 
-func TestContainerdRestartPatch(t *testing.T) {
+func TestContainerdApplyPatchesAndRestartPatch(t *testing.T) {
 	gomega.RegisterFailHandler(Fail)
-	RunSpecs(t, "Containerd restart mutator suite")
+	RunSpecs(t, "Containerd apply patches and restart mutator suite")
 }
 
-var _ = Describe("Generate Containerd restart patches", func() {
+var _ = Describe("Generate Containerd apply patches and restart patches", func() {
 	// only add aws region patch
 	patchGenerator := func() mutation.GeneratePatches {
 		return mutation.NewMetaGeneratePatchesHandler("", helpers.TestEnv.Client, NewPatch()).(mutation.GeneratePatches)
@@ -35,7 +37,10 @@ var _ = Describe("Generate Containerd restart patches", func() {
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/kubeadmConfigSpec/files",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", containerdApplyPatchesScriptOnRemote,
+						),
 						gomega.HaveKeyWithValue(
 							"path", ContainerdRestartScriptOnRemote,
 						),
@@ -44,7 +49,8 @@ var _ = Describe("Generate Containerd restart patches", func() {
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/kubeadmConfigSpec/preKubeadmCommands",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
+						containerdApplyPatchesScriptOnRemoteCommand,
 						ContainerdRestartScriptOnRemoteCommand,
 					),
 				},
@@ -67,7 +73,10 @@ var _ = Describe("Generate Containerd restart patches", func() {
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/files",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
+						gomega.HaveKeyWithValue(
+							"path", containerdApplyPatchesScriptOnRemote,
+						),
 						gomega.HaveKeyWithValue(
 							"path", ContainerdRestartScriptOnRemote,
 						),
@@ -76,7 +85,8 @@ var _ = Describe("Generate Containerd restart patches", func() {
 				{
 					Operation: "add",
 					Path:      "/spec/template/spec/preKubeadmCommands",
-					ValueMatcher: gomega.ContainElements(
+					ValueMatcher: gomega.HaveExactElements(
+						containerdApplyPatchesScriptOnRemoteCommand,
 						ContainerdRestartScriptOnRemoteCommand,
 					),
 				},
@@ -96,3 +106,39 @@ var _ = Describe("Generate Containerd restart patches", func() {
 		})
 	}
 })
+
+func Test_generateContainerdApplyPatchesScript(t *testing.T) {
+	wantFile := bootstrapv1.File{
+		Path:        "/etc/containerd/apply-patches.sh",
+		Owner:       "",
+		Permissions: "0700",
+		Encoding:    "",
+		Append:      false,
+		//nolint:lll // just a long string
+		Content: `#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+declare -r TOML_MERGE_IMAGE="ghcr.io/mesosphere/toml-merge:v0.2.0"
+
+if ! ctr --namespace k8s.io images check "name==${TOML_MERGE_IMAGE}" | grep "${TOML_MERGE_IMAGE}" >/dev/null; then
+  ctr --namespace k8s.io images pull "${TOML_MERGE_IMAGE}"
+fi
+
+cleanup() {
+  ctr images unmount "${tmp_ctr_mount_dir}" || true
+}
+
+trap 'cleanup' EXIT
+
+readonly tmp_ctr_mount_dir="$(mktemp -d)"
+
+ctr --namespace k8s.io images mount "${TOML_MERGE_IMAGE}" "${tmp_ctr_mount_dir}"
+"${tmp_ctr_mount_dir}/usr/local/bin/toml-merge" -i --patch-file "/etc/containerd/cre.d/*.toml" /etc/containerd/config.toml
+`,
+	}
+	wantCmd := "/bin/bash /etc/containerd/apply-patches.sh"
+	file, cmd, _ := generateContainerdApplyPatchesScript()
+	assert.Equal(t, wantFile, file)
+	assert.Equal(t, wantCmd, cmd)
+}

pkg/handlers/generic/mutation/containerdapplypatchesandrestart/restart.go

@@ -0,0 +1,49 @@
+// Copyright 2023 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package containerdapplypatchesandrestart
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"text/template"
+
+	bootstrapv1 "sigs.k8s.io/cluster-api/bootstrap/kubeadm/api/v1beta1"
+)
+
+const (
+	tomlMergeImage                              = "ghcr.io/mesosphere/toml-merge:v0.2.0"
+	containerdPatchesDirOnRemote                = "/etc/containerd/cre.d"
+	containerdApplyPatchesScriptOnRemote        = "/etc/containerd/apply-patches.sh"
+	containerdApplyPatchesScriptOnRemoteCommand = "/bin/bash " + containerdApplyPatchesScriptOnRemote
+)
+
+//go:embed templates/containerd-apply-patches.sh.gotmpl
+var containerdApplyConfigPatchesScript []byte
+
+func generateContainerdApplyPatchesScript() (bootstrapv1.File, string, error) {
+	t, err := template.New("").Parse(string(containerdApplyConfigPatchesScript))
+	if err != nil {
+		return bootstrapv1.File{}, "", fmt.Errorf("failed to parse go template: %w", err)
+	}
+
+	templateInput := struct {
+		TOMLMergeImage string
+		PatchDir       string
+	}{
+		TOMLMergeImage: tomlMergeImage,
+		PatchDir:       containerdPatchesDirOnRemote,
+	}
+
+	var b bytes.Buffer
+	err = t.Execute(&b, templateInput)
+	if err != nil {
+		return bootstrapv1.File{}, "", fmt.Errorf("failed executing template: %w", err)
+	}
+
+	return bootstrapv1.File{
+		Path:        containerdApplyPatchesScriptOnRemote,
+		Content:     b.String(),
+		Permissions: "0700",
+	}, containerdApplyPatchesScriptOnRemoteCommand, nil
+}

pkg/handlers/generic/mutation/mirrors/templates/containerd-apply-patches.sh.gotmpl renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/templates/containerd-apply-patches.sh.gotmpl

@@ -9,8 +9,8 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/clustertopology/handlers/mutation"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/aws/mutation/cni/calico"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/auditpolicy"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/containerdapplypatchesandrestart"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/containerdmetrics"
-	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/containerdrestart"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/etcd"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/extraapiservercertsans"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/generic/mutation/httpproxy"
@@ -41,6 +41,6 @@ func MetaMutators(mgr manager.Manager) []mutation.MetaMutator {
 		// Containerd restart and readiness altogether could take ~5s.
 		// We want to keep patch independent of each other and not share any state.
 		// Therefore, We must always apply this patch regardless any other patch modified containerd configuration.
-		containerdrestart.NewPatch(),
+		containerdapplypatchesandrestart.NewPatch(),
 	}
 }

pkg/handlers/generic/mutation/containerdrestart/templates/containerd-restart.sh renamed to pkg/handlers/generic/mutation/containerdapplypatchesandrestart/templates/containerd-restart.sh

@@ -101,7 +101,7 @@ func (h *globalMirrorPatchHandler) Mutate(
 			if err != nil {
 				return err
 			}
-			files, commands, generateErr := generateFilesAndCommands(
+			files, generateErr := generateFilesAndCommands(
 				mirrorConfig,
 				globalMirror)
 			if generateErr != nil {
@@ -117,15 +117,6 @@ func (h *globalMirrorPatchHandler) Mutate(
 				files...,
 			)
 
-			log.WithValues(
-				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
-				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding PreKubeadmCommands to control plane kubeadm config spec")
-			obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands = append(
-				obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands,
-				commands...,
-			)
-
 			return nil
 		}); err != nil {
 		return err
@@ -143,7 +134,7 @@ func (h *globalMirrorPatchHandler) Mutate(
 			if err != nil {
 				return err
 			}
-			files, commands, generateErr := generateFilesAndCommands(
+			files, generateErr := generateFilesAndCommands(
 				mirrorConfig,
 				globalMirror)
 			if generateErr != nil {
@@ -156,12 +147,6 @@ func (h *globalMirrorPatchHandler) Mutate(
 			).Info("adding global registry mirror files to worker node kubeadm config template")
 			obj.Spec.Template.Spec.Files = append(obj.Spec.Template.Spec.Files, files...)
 
-			log.WithValues(
-				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
-				"patchedObjectName", ctrlclient.ObjectKeyFromObject(obj),
-			).Info("adding PreKubeadmCommands to worker node kubeadm config template")
-			obj.Spec.Template.Spec.PreKubeadmCommands = append(obj.Spec.Template.Spec.PreKubeadmCommands, commands...)
-
 			return nil
 		}); err != nil {
 		return err
@@ -173,26 +158,18 @@ func (h *globalMirrorPatchHandler) Mutate(
 func generateFilesAndCommands(
 	mirrorConfig *mirrorConfig,
 	globalMirror v1alpha1.GlobalImageRegistryMirror,
-) ([]bootstrapv1.File, []string, error) {
+) ([]bootstrapv1.File, error) {
 	// generate default registry mirror file
 	files, err := generateGlobalRegistryMirrorFile(mirrorConfig)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	// generate CA certificate file for registry mirror
 	mirrorCAFile := generateMirrorCACertFile(mirrorConfig, globalMirror)
 	files = append(files, mirrorCAFile...)
 	// generate Containerd registry config drop-in file
 	registryConfigDropIn := generateContainerdRegistryConfigDropInFile()
 	files = append(files, registryConfigDropIn...)
-	// generate Containerd apply patches script and command
-	var commands []string
-	applyPatchesFile, applyPatchesCommand, err := generateContainerdApplyPatchesScript()
-	if err != nil {
-		return nil, nil, err
-	}
-	files = append(files, applyPatchesFile...)
-	commands = append(commands, applyPatchesCommand)
 
-	return files, commands, err
+	return files, err
 }